undefined | Better HN

0 pointsjrockway16y ago0 comments

And don't they use Rails, which presumably makes it very easy, if not the default, to escape HTML output?

0 comments

3 comments · 1 top-level

dnaquin16y ago· 2 in thread

PSA. Escaping html only helps if you're allowing user-generated text outside of any tag.

If you're allowing user-generated text into a html tag (ie. this case.) Escaping html tags won't help.

jrockwayOP16y ago

Why not?

The substitution they do is <a href="%s">, and you can "game that" by inserting 'http://foo.com> other stuff goes here <whatever foo="">' Fine. The literal HTML that the user sees becomes '<a href="http://foo.com>other stuff goes here <whatever foo="">'. That's bad.

Now if you escape that properly, you get: '<a href="http://foo.com&quot;&gt; other stuff goes here &lt;whatever foo=&quot;">' Garbage, but not a security problem.

(BTW, news.arc fucks up the escaping too, so this example is garbage. Sorry. See nopaste here: http://scsys.co.uk:8001/33063

Edit: sigh, that is also broken! Bottom line; none of these things will happen to you if you replace every & with &amp;, every " with &quot;, every ' with &apos;, every < with &lt; and every > with &gt;.)

dnaquin16y ago

Congratulations, you've just stopped one particular attack.

There'll be something you forget. Blacklisting is only a good idea if whitelisting isn't possible. (see the \w above)

eg. You forgot. javascript:alert(document.cookie) Which depends on click and in and of itself isn't dangerous but a symptom of a greater problem.

edit: except you need to allow more than \w.

j / k navigate · click thread line to collapse